Angel R. Rivera ([EMAIL PROTECTED]) said something to this effect:
> Ok folks, I am stumped.
>
> I am writing an authentication handler for our site and so far so good->it is
> coming on line. It makes sense. What does not make sense is how can
> I log myself off without having to exit the browser? If someone can point me
> in the right direction I shall be in your debt. TIA, -ar
If you are using Apache's authentication (i.e., having Apache send an Auth
Required header), then the only way is to close the browser.
The approach I like is something like this:
It requires two AuthHandlers, and cookies.
Set up a Location that doesn't exists, like /some/where/that/doesnt/exist,
and set your first AuthHandler to work on that uri. In this auth handler,
do the password checks and set a cookie if the checks pass (i.e., return OK),
or return AUTH_REQUIRED.
For every page you want protected, create a second AuthHandler that checks
for this cookie. If it exists, then the user has visisted you first handler
(the one on the non-existent location) and has authenticated there.
Why 2 handlers, and why a non-existent location? If you use a real location,
the the browser will send it's own Auth headers, which is precisely what you
want to avoid (this is what can't be logged out). The second handler merely
checks for the existence of that cookie, no other checks are necessary. If
it is missing, then redirect to the login Location, possibly with some
redirect info back to the current URI.
(darren)
--
Cole's Law: Thinly sliced cabbage.
